Everything you need to design, implement, and test a backup strategy that survives ransomware. Covers cloud, on-premise, and hybrid scenarios for small and medium businesses.
Key figures: 3-2-1 backup rule · 40% of SMBs fail within 6 months · <$1K recovery cost gap · 0 times backups tested
📐The 3-2-1 Rule — Foundation of Every Backup Strategy
The 3-2-1 backup rule is the baseline for data protection: three copies of your data, on two different media, with one copy offsite. The point is that no single event, whether a failed disk, a burned-down office, or a corrupted backup set, can take out every copy at once. It does not promise survival if all three happen to different copies at the same time; that is what the immutable or air-gapped copy below is for.
3 copies of data (the original + 2 backups) → 2 different media types (e.g., disk + cloud) → 1 offsite copy (air-gapped or immutable)
Layer | Example | Why It Matters
--- | --- | ---
Original data | Production files, databases, VMs | Live working data
Backup #1 (local) | External HDD / NAS on premises | Fast restore; recovery from human error
Backup #2 (offsite) | Cloud storage (S3, B2, Azure Blob) | Protection against fire, theft, natural disaster
⚠Critical anti-ransomware addition: at least one backup must be immutable (write-once; it cannot be deleted or altered until its retention period expires) or air-gapped (offline). Ransomware operators go after backup systems first, because they know backups are your last defense and a victim with working backups does not pay. If your offsite backup can be deleted with your admin credentials, an attacker holding those credentials can delete it too.
📦What to Back Up — Priority by System Type
Not all data is equally critical. Prioritize by business impact and set two targets per system: the Recovery Point Objective (RPO), how much data loss you can tolerate, and the Recovery Time Objective (RTO), how long the system can be down.
System / Data | Priority | RPO | RTO | Method
--- | --- | --- | --- | ---
Customer database / ERP | Critical | 15 min | 1 hr | Continuous replication + hourly snapshots
Financial records | Critical | 1 hr | 4 hrs | Daily incremental + continuous
Email (Microsoft 365 / Google) | High | 1 hr | 4 hrs | Native SaaS backup + third-party
File servers / shared drives | High | 1 hr | 8 hrs | Incremental file-level backup
Websites / web applications | High | 24 hrs | 2 hrs | Daily snapshot + code repo
Workstations / endpoints | Medium | 24 hrs | 24 hrs | Image backup or folder sync
Archive / compliance records | Medium | N/A | 1 week | Monthly archive to cold storage
RPO = Recovery Point Objective: how much data can you afford to lose (measured in time). RTO = Recovery Time Objective: how long can the system be down. Both must be defined and tested — not guessed.
☁Cloud Backup Platforms — SMB Comparison
Platform | Type | Key Feature | Immutable Option | Starting Cost
--- | --- | --- | --- | ---
Backblaze B2 | Object storage | Simple; widely supported by backup clients | Yes (Object Lock) | $0.006/GB/mo
AWS S3 | Object storage | WORM-compliant immutability via Object Lock | Yes (Object Lock; use COMPLIANCE mode) | $0.023/GB/mo (S3 Standard)
Wasabi Hot Cloud Storage | Object storage | No egress fees; cheap | Yes (Object Lock) | $0.007/GB/mo
Azure Blob Storage | Object storage | WORM (immutability) policies; long-term tiers | Yes (immutable blob storage) | $0.018/GB/mo (Hot)
Veeam Backup & Replication | Backup software | Agent + image backup; VMware / Hyper-V | Via immutable target storage | Free (Community Edition, up to 10 workloads)
Acronis Cyber Protect | All-in-one | Backup + AV + anti-ransomware | Yes (immutable cloud storage) | $9.99/workstation/mo
Recommendation for most SMBs: Veeam Backup & Replication Community Edition (free for up to 10 workloads) writing to a Backblaze B2 bucket with Object Lock enabled gives you enterprise-grade immutability for well under $0.01/GB/mo of stored backup data.
🔒Ransomware-Specific Hardening
Standard backups are not enough against modern ransomware. Intruders typically dwell silently for days or weeks, locate and destroy or encrypt the backups first, and only then detonate the encryption and the ransom note. Design backups to survive that sequence:
Immutable backup copies
Enable WORM (Write Once, Read Many) or Object Lock on your cloud backup bucket and set a minimum immutability period of 30 days, longer than the dwell time you expect before you notice an intruder. On S3 use COMPLIANCE mode: GOVERNANCE mode can be overridden by any identity holding s3:BypassGovernanceRetention, which is exactly what a compromised admin account may hold. Cost: roughly $0.01/GB/mo. This does not stop production systems from being encrypted, but it removes the attacker's ability to destroy your recovery point, which is what the extortion depends on.
Separate backup admin credentials
The account used to manage backups must be separate from your day-to-day admin accounts, so that an attacker who compromises Domain Admin does not get backup administration for free. Use a dedicated backup admin account with MFA and no other permissions, and give the backup software itself credentials that can write and read backups but not delete them or shorten their retention. Ideally the backup server is not joined to the production domain at all.
Air-gap at least one copy
Connect an external HDD for a weekly backup, then disconnect it from the machine and store it offsite. A disk that is unplugged and powered off cannot be encrypted by any malware running in your environment, so it survives even a full domain compromise. Two caveats: the drive is exposed while it is plugged in, so rotate at least two drives, and verify the backup set before disconnecting, because if the attacker was already inside you may be archiving already-encrypted or tampered data.
Alert on backup deletion attempts
Any attempt to delete or modify backups, including attempts that the immutability lock blocks, should trigger an immediate alert (email + SMS) to a person, not just a log entry. Ransomware crews often wipe backups in the 24–72 hours before the ransom note appears, so a blocked deletion attempt is frequently the earliest clear signal that you have an intruder, and acting on it can stop the encryption phase.
Test restoration quarterly
Quarterly: restore a random file from backup and verify contents. Annually: full DR drill — simulate a complete site failure and restore from scratch using only documented procedures. Document the time it took and what went wrong.
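Two of the points above, immutability that a compromised admin cannot undo and alerting on deletion attempts, are concrete enough to check mechanically. The following is an added example written for this page, not code from the page, from AWS, or from any backup vendor: it audits an S3 bucket's Object Lock configuration (in the shape returned by GetObjectLockConfiguration and GetBucketVersioning) for GOVERNANCE mode and short retention, and turns CloudTrail S3 data events into alert lines, counting denied deletes as alerts too. The bucket names, ARNs, sample events and the set of event names watched are assumptions made for the example.

```python
"""Audit an S3 Object Lock configuration and flag backup-tampering events.

Added example, not code from the page or from any vendor. The dict shapes
mirror GetObjectLockConfiguration / GetBucketVersioning responses and
CloudTrail S3 data events; bucket names, ARNs and the sample events are
constructed for illustration.
"""

MIN_RETENTION_DAYS = 30  # the minimum the section above recommends

# CloudTrail eventName values for S3 calls that delete backups or weaken the
# lock. Which names to watch is this example's choice, not an AWS list.
TAMPER_EVENTS = {
    "DeleteObject", "DeleteObjects", "DeleteBucket",
    "PutObjectRetention", "PutObjectLegalHold",
    "PutBucketObjectLockConfiguration", "PutBucketLifecycle",
    "PutBucketPolicy", "DeleteBucketPolicy",
}


def audit_object_lock(lock_config, versioning, min_days=MIN_RETENTION_DAYS):
    """Return findings for a backup bucket; an empty list means it meets the bar."""
    findings = []
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled: every object is deletable"]
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not Enabled (Object Lock depends on it)")
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append("no default retention: objects the backup client does "
                        "not lock explicitly are written unlocked")
        return findings
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"mode is {rule.get('Mode')}: GOVERNANCE retention can be "
                        "shortened or removed by any principal holding "
                        "s3:BypassGovernanceRetention, i.e. a compromised admin")
    days = rule.get("Days", 0) + 365 * rule.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention is {days} days, below the "
                        f"{min_days}-day minimum")
    return findings


def detect_tampering(events, watch=TAMPER_EVENTS):
    """Return one alert line per S3 event that deletes or weakens backups.

    Denied attempts are alerted as well: a blocked DeleteObject against an
    immutable copy is exactly the 'attempt to delete' the section wants paged.
    """
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in watch:
            continue
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        params = ev.get("requestParameters") or {}
        target = params.get("bucketName", "?")
        if "key" in params:
            target += "/" + params["key"]
        outcome = "DENIED" if ev.get("errorCode") else "SUCCEEDED"
        alerts.append(f"{ev.get('eventTime')} {ev['eventName']} on {target} "
                      f"by {who}: {outcome}")
    return alerts


# Constructed samples: a weak bucket (GOVERNANCE, 14 days) and a hardened one.
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 14}}}}
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
VERSIONING_ON = {"Status": "Enabled"}

# Constructed CloudTrail events: a blocked delete by the backup writer, an
# admin rewriting the lock configuration, and a harmless read.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-31T02:14:07Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-writer"},
     "requestParameters": {"bucketName": "acme-backups",
                           "key": "veeam/erp-db/2024-03-30.vbk"}},
    {"eventTime": "2024-03-31T02:15:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketObjectLockConfiguration",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/Admin"},
     "requestParameters": {"bucketName": "acme-backups"}},
    {"eventTime": "2024-03-31T02:16:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-writer"},
     "requestParameters": {"bucketName": "acme-backups",
                           "key": "veeam/erp-db/2024-03-30.vbk"}},
]

if __name__ == "__main__":
    for finding in audit_object_lock(WEAK_LOCK, VERSIONING_ON):
        print("FINDING:", finding)
    for alert in detect_tampering(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Feed detect_tampering the records from a CloudTrail trail that has S3 data events enabled for the backup bucket. Alerting on DENIED outcomes is deliberate: the lock did its job, but someone holding credentials tried, and that is the early warning the section asks for.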
Backup Testing Checklist
A backup that has never been tested is not a backup — it is a hope. Run this checklist quarterly.
Verify backup jobs ran successfully for the last 30 days (check logs)
Restore a random file from each backup location and verify contents are correct
Test restore speed: measure time from "start restore" to "file accessible" — does it meet your RTO?
Confirm immutability is active: attempt (and verify failure of) deletion of an immutable object
Verify backup encryption: check that backup data at rest is encrypted (AES-256) and keys are stored separately
Check backup admin account: confirm it has MFA enabled and separate credentials from general admin
Validate offsite copy: confirm offsite/cloud backup completed within the last 24 hours
Review retention policy: ensure old backups are expiring correctly and not accumulating unnecessary cost
Test alerting: trigger a test alert to confirm backup failure notifications reach the right people
Full DR drill (annually): document procedure, time taken, and lessons learned
Before running a DR drill: Ensure you have a documented runbook that a non-technical person could follow. After the drill, update the runbook with any corrections. The person running the drill at 2 AM will not be you — make sure it works for them.
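The checklist above, together with the RPO/RTO table earlier on the page, can be turned into a script run against the job history your backup software exports. The following is an added example written for this page, not the page's own tooling or any vendor's: it parses constructed job-log lines and reports each system whose newest good copy is older than its RPO, whose offsite copy is older than 24 hours, whose latest run failed, or whose most recent restore test is missing, unverified, or slower than its RTO. The log format, job names and the fixed NOW timestamp are assumptions for the example; the RPO/RTO figures are the table's.

```python
"""Check backup job evidence against RPO/RTO targets.

Added example for this page, not its own tooling. Log format, job names and
NOW are assumptions; the targets come from the page's RPO/RTO table.
"""
import re
from datetime import datetime, timezone

# Targets from the table above, in hours: job -> (RPO, RTO).
TARGETS = {
    "erp-db": (0.25, 1),
    "finance": (1, 4),
    "fileserver": (1, 8),
    "website": (24, 2),
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Parse lines of '<ISO-8601 UTC> key=value ...' into dicts with a 'time'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def hours_since(t, now):
    return (now - t).total_seconds() / 3600


def check_backups(log_text, now, offsite_max_hours=24, restore_test_max_days=90):
    """Return human-readable findings; an empty list means every target is met."""
    events = parse_log(log_text)
    findings = []
    for job, (rpo_h, rto_h) in TARGETS.items():
        runs = [e for e in events if e.get("event") == "backup" and e.get("job") == job]
        ok = [e for e in runs if e.get("status") == "SUCCESS"]
        if not ok:
            findings.append(f"{job}: no successful backup in the log")
            continue
        # RPO: age of the newest good copy, wherever it lives.
        age = hours_since(max(e["time"] for e in ok), now)
        if age > rpo_h:
            findings.append(f"{job}: newest backup is {age:.1f}h old, RPO is {rpo_h}h")
        # Checklist: an offsite copy must have completed in the last 24 hours.
        offsite = [e["time"] for e in ok if e.get("target") == "offsite"]
        if not offsite or hours_since(max(offsite), now) > offsite_max_hours:
            findings.append(f"{job}: no successful offsite copy in the last {offsite_max_hours}h")
        # A target whose most recent run failed is broken now, even if an older copy exists.
        for target in ("local", "offsite"):
            attempts = sorted((e for e in runs if e.get("target") == target),
                              key=lambda e: e["time"])
            if attempts and attempts[-1].get("status") != "SUCCESS":
                findings.append(f"{job}: latest {target} run {attempts[-1].get('status')} "
                                f"({attempts[-1].get('error', 'no error text')})")
        # Restore tests: recent, verified, and inside the RTO.
        tests = [e for e in events if e.get("event") == "restore_test" and e.get("job") == job]
        recent = [e for e in tests if hours_since(e["time"], now) <= restore_test_max_days * 24]
        if not recent:
            findings.append(f"{job}: no restore test in the last {restore_test_max_days} days")
            continue
        last = max(recent, key=lambda e: e["time"])
        if last.get("verified") != "true":
            findings.append(f"{job}: last restore test did not verify contents")
        if float(last.get("duration_min", "inf")) > rto_h * 60:
            findings.append(f"{job}: restore took {last['duration_min']} min, "
                            f"RTO is {rto_h * 60:.0f} min")
    return findings


# Constructed sample log and a fixed "now" so the run is reproducible.
SAMPLE_LOG = """\
2024-03-31T11:50:00Z event=backup job=erp-db target=local status=SUCCESS
2024-03-31T11:00:00Z event=backup job=erp-db target=offsite status=SUCCESS
2024-03-31T11:30:00Z event=backup job=finance target=local status=SUCCESS
2024-03-30T02:10:00Z event=backup job=finance target=offsite status=SUCCESS
2024-03-31T11:40:00Z event=backup job=fileserver target=local status=SUCCESS
2024-03-31T03:00:00Z event=backup job=fileserver target=offsite status=FAILED error="auth expired"
2024-03-30T03:00:00Z event=backup job=fileserver target=offsite status=SUCCESS
2024-03-31T01:00:00Z event=backup job=website target=local status=SUCCESS
2024-03-31T01:05:00Z event=backup job=website target=offsite status=SUCCESS
2024-03-15T09:00:00Z event=restore_test job=erp-db target=offsite duration_min=95 verified=true
2024-03-15T10:00:00Z event=restore_test job=website target=offsite duration_min=40 verified=true
"""
NOW = datetime(2024, 3, 31, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in check_backups(SAMPLE_LOG, NOW):
        print("FINDING:", finding)
```

On the sample data the website passes cleanly, the ERP database has backups inside its 15-minute RPO but its restore test took 95 minutes against a 60-minute RTO, and the file server's offsite job has been failing since its last good copy. Run something like this on a schedule and page on any non-empty result; a backup job that silently stops is the most common way the "0 times tested" number in the header comes true.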
Microsoft 365 / Google Workspace — Don't Trust the Recycle Bin
A common misconception: "We're using Microsoft 365, our data is in the cloud, we're fine." Microsoft (and Google) operate under a shared responsibility model: they guarantee the availability of the service, not the survival of your data against accidental deletion, insider action, or ransomware synced up from an infected endpoint. Their defaults are retention windows, not backups:
Risk | Microsoft Default Retention | Your Exposure
--- | --- | ---
Accidental deletion | 93 days (SharePoint / OneDrive Recycle Bin, both stages) | Gone for good once the 93 days pass or an admin empties the second-stage bin
Ransomware (OneDrive sync) | Version history; Files Restore can roll back up to 30 days | Encrypted files sync to the cloud; rollback must happen inside the 30-day window
Insider threat / rogue admin | None beyond the recycle bin; a Global Admin can purge it and remove retention policies unless they are locked | All data can be permanently deleted
Regulatory retention | No retention policy configured by default | Data required for compliance may be gone
Solution: Use a third-party M365 backup service (Spinbackup, Dropsuite, Veritas Alta, or Veeam for M365) that stores backups independently of your M365 tenant. This ensures you can restore even if your M365 admin account is compromised.
Disclaimer: This guide provides general informational content about SMB cybersecurity and IT management. Topics covered are based on publicly available industry guidance (e.g., CISA, NIST, FBI IC3) and accepted best practices. This content is not a substitute for professional legal, technical, or compliance advice specific to your organization.